Top execs cyber security hypocrites, report shows
There is a critical disconnect between the cyber security behaviour that top executives recommend and the way they behave themselves, while many firms do not know where their data lives and moves, a report reveals
More than seven in 10 CEOs admit they have taken valuable intellectual property (IP) from a former employer, according to a report that shows top executives defy data security best practices and company policy.
Despite this behaviour, 78% of CEOs polled agree that ideas, in the form of IP, are still the most precious asset in the enterprise, showing a disconnect between what executives say and what they do.
Additionally, 93% of CEOs say they keep a copy of their work on a personal device, outside the relative safety of company servers or cloud applications, according to a report by security firm Code42 that underscores the need for a data security strategy that acknowledges the reality of human behaviour.
While companies spend billions to prevent data loss, the research suggests that data remains vulnerable to employee transgressions – and the C-suite is among the worst offenders.
Further demonstrating a disconnect between what top leaders say and what they do, 63% of CEOs polled admitted to clicking on a link they should not have or did not intend to, putting their corporate and potentially personal data at risk from malware.
And 59% of CEOs admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77%) believe their IT department would view this behaviour as a security risk, but they do it anyway.
The findings, detailed in Code42’s 2018 Data Exposure Report, raise concerns about the role of human emotions in risky data security practices. The findings also underline the need for a realistic data security strategy that not only addresses human behaviour, but also takes both prevention and recovery into account.
The report is based on a survey of 1,034 security and IT leaders in the UK, US and Germany, including CSOs, CTOs, CISOs and CIOs, as well as 600 business leaders, all with budgetary decision-making power.
“It’s clear that even the best-intentioned data security policies are no match for human nature,” said Jadee Hanson, Code42’s chief information security officer.
“Understanding how emotional forces drive risky behaviour is a step in the right direction, as is recognising ‘disconnects’ within the organisation that create data security vulnerabilities. In a threat landscape that is getting increasingly complex, prevention-only strategies are no longer enough.”
The report reveals that the CISO’s job is becoming significantly more challenging, even in organisations that have the best cyber security policies and tools in place.
“The risks boil down to a lack of data visibility,” the report said, with 73% of security and IT leaders saying they believe that some company data exists only on endpoints and 70% admitting that losing all corporate data held on endpoint devices would be business-destroying or seriously disruptive.
Breaches going public
The survey reveals that 64% of CISOs believe their company will suffer a breach in the next 12 months that becomes public, and 61% say their company has already experienced a breach in the past 18 months. The threat of cyber attack has led nearly 73% of CISOs to stockpile cryptocurrency to pay cyber criminals, with 79% admitting they have paid a ransom.
According to the report, the findings underscore the unnecessary use of resources to respond to cyber threats in this way.
“With a comprehensive data security strategy that includes visibility, companies would have a better understanding of what happened and when. As a result, they would be positioned to recover from data loss incidents much faster,” the report said.
Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape, with 72% of CISOs and 80% of CEOs saying they believe their companies have to improve their ability to recover from a breach in the next 12 months.
Three-quarters of CISOs and 74% of CEOs believe their security strategies need to change from prevention-only to prevention- and recovery-driven security.
“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC.
“To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organisation against both internal and external threats.”